
Till now almost all Hacking Truths manuals have been Windows centric. I have always kept the newbie Windows user in mind, while writing manuals. However, with the growing popularity of Linux and the fact that Linux is considered to be the Hacker’s OS, I decided to start a *nix series.

Getting Root on a Linux machine

As you read this manual, you will discover that our basic aim always remains the same, i.e. we want to get root. Now, root is nothing but a sort of super user, who has maximum privileges, and can do whatever he wants to do on a system. ‘Root’ is to *nix what Administrator is to Windows NT. If you get root then you can practically control each and every aspect of the system. You could remove accounts, delete files, disable daemons, and even format the entire system.

******************
NEWBIE NOTE: Getting root is considered to be really really elite especially in schools. If you are able to get root in your school network, then you practically get transformed into a semi-god, but why? Well, the reasons are pretty obvious. Aren’t they?

******************

OK, I am really interested. How do I do it? Well, in this section, we are not going to run any C program nor are we going to do any kind of coding, but we will simply exploit a small vulnerability existing in a feature which comes with Linux. This will work almost 9 times out of 10. However, if you plan to use this technique to get ‘root’ on your ISP, then forget it pal. The technique explained below is quite common and the system administrator would probably be smart enough to cover up this security loophole.

  1. Before we move on, there is one thing that you need to keep in mind, i.e. for this to work, you need to have physical access to the target system. Anyway, boot the target system and wait for the LInux LOader or LILO prompt to come up.
  2. At the LILO prompt type ‘linux single’ (without quotes) or ‘linux 1’ to get the root shell where you can practically do anything.
  3. Once Linux single is running, you get the root shell where you can type any command which is accepted by the default shell on your system. Now, here, type ‘linuxconf’. This will bring up a blue screen, which is the Linux Configuration Utility. Then, click on Users > Root Password. This will allow you to change the root password!!! Yes, you read right, change the root password. Scroll down further, and you could also add new accounts with root privileges.

The linux config utility is certainly not a hole in Linux. It was actually designed to help, if the root password was forgotten.

Well, there is yet another way in which we can get root. In the first method, we typed ‘linuxconf’ in the bash shell prompt, however, we could type the following to create a new account with root privileges and without any password:

echo "ankit::0:0:::" >> /etc/passwd

This command will basically edit the /etc/passwd file, which is the password file that stores the usernames and passwords of all accounts on the machine. One thing to remember here is that you can edit the /etc/passwd file only if you are logged in as root. However, in this case we are not logged in as root, but we have booted into linux single, which gives us the root shell. Hence, we can still edit it.

Anyway, to understand how exactly the above command works and how it is able to create a new account without a password, we need to learn how the /etc/passwd file is structured.

The following is a line from a password file:

ankit:my_password:2:3:Ankit Fadia:/home/ankit:/bin/bash

The above can in turn be broken up into:

Username: ankit

Encrypted Password: my_password

User number: 2

Group Number: 3

Actual Name: Ankit Fadia (Optional)

Home Directory: /home/ankit (Optional)

Type of Shell: /bin/bash (Optional)

In our command, we have not included the optional fields and the password field of a typical password file line. Our command:

echo "ankit::0:0:::" >> /etc/passwd

can be rewritten as:

Username: ankit

Encrypted Password:

User number: 0

Group Number: 0

Actual Name:

Home Directory:

Type of Shell:

This basically creates a new account with root privileges, which can be used as a Backdoor into the system.

**********************

HACKING TRUTH: If you have enabled shadow passwords, then the command will change to:

echo "ankit::0:0:::" >> /etc/shadow

A typical line from the password file on a system with Shadow Passwords enabled is as follows:

ankit:*:2:3:Ankit Fadia:/home/ankit:/bin/bash

In a shadowed password file, the password field is replaced by a ' * ' (the ' * ' is called a token) so that the encrypted password does not show up in the password file. The list of encrypted passwords is instead stored in a different file which is not readable by normal users.
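From the administrator's side, the field structure described above is exactly what a periodic audit of /etc/passwd should check: an extra UID 0 account, an empty password field, or a password hash that was never moved to the shadow file. The following Python script is an added example, not part of the original manual; it runs over a constructed passwd text (the usernames and hash are made up) rather than a live system.

```python
# Constructed sample /etc/passwd contents (not taken from any real system).
# Line 3 is the kind of entry the manual's `echo` command appends;
# line 5 carries a made-up hash directly in the passwd file (not shadowed).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ankit::0:0:::
alice:*:1000:1000:Alice:/home/alice:/bin/bash
carol:$1$constructed$notarealhash:1001:1001:Carol:/home/carol:/bin/sh
broken:line:without:enough
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
# Values that mean "the real hash lives in /etc/shadow" or "login disabled".
SHADOW_TOKENS = {"x", "*", "!", "!!"}

def parse_passwd(text):
    """Split passwd text into one dict per entry; lines with the wrong
    number of colon-separated fields are returned separately as malformed."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            malformed.append((lineno, line))
            continue
        entries.append(dict(zip(FIELDS, parts)))
    return entries, malformed

def audit_passwd(text):
    """Return (who, reason) findings for the backdoor patterns discussed above."""
    entries, malformed = parse_passwd(text)
    findings = [(f"line {n}", "malformed entry (wrong field count)") for n, _ in malformed]
    for e in entries:
        if not (e["uid"].isdigit() and e["gid"].isdigit()):
            findings.append((e["name"], "non-numeric uid/gid"))
            continue
        if e["uid"] == "0" and e["name"] != "root":
            findings.append((e["name"], "uid 0 account other than root"))
        if e["passwd"] == "":
            findings.append((e["name"], "empty password field (login without password)"))
        elif e["passwd"] not in SHADOW_TOKENS and not e["passwd"].startswith(("!", "*")):
            findings.append((e["name"], "password hash kept in world-readable /etc/passwd"))
    return findings

if __name__ == "__main__":
    for who, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{who}: {reason}")
```

On a real host the same function can be fed `open("/etc/passwd").read()`; any finding other than the expected root entry is worth a look at login records and file modification times.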
